similar to: ipfwadm and filtering ICMP?

Displaying 20 results from an estimated 7000 matches similar to: "ipfwadm and filtering ICMP?"

1998 Jun 17
0
Re: Linux and IPFWADM
On Tue, 16 Jun 1998, Avery Pennarun wrote: > Here is the script I use on my home IP masquerade system. It is designed > to deny everything except what is specifically allowed in some of the > definitions near the top. Note that there is one fatal problem -- the > input firewall is changed to allow incoming data back to ports 1024 > through 65535, because any of those might have
1998 Jul 30
0
ipfwadm configuration utility
* I sent this to the guy doing the Securing RH 5.x online book, but this is not RedHat specific, should be good for all Linux'es (?). I haven't seen anything on here about this, so my apologies if maybe I missed it. >Date: Thu, 30 Jul 1998 08:37:27 -0400 >From: Alan Spicer <aspicer@ebiznet.com> >Organization: Electronic Business Network >X-Mailer: Mozilla 4.05 [en]
1998 May 19
7
Bind Overrun Bug and Linux
[mod: Just to show you that people DO get bitten after a bugwarning has gone out on linux-security..... -- REW] Has anyone been hit with the Bind Inverse Query Buffer Overrun on their Linux servers? We have had 3 servers attacked using this exploit and all of the machines had several binaries replaced with trojan
1998 Jun 20
0
Named and Firewalls
Since it seems that named is the theme of the month, I thought I would present an example of using a firewall to protect your bind service. One of the reasons for presenting is that in all examples shown so far it seemed that everyone suggested to leave named full-open. However, it does not always have to be the case. Say, if you are running a private network then you want just to allow named get data
2002 Jul 06
0
FW: Newbie Help
I guess you are in what I think of as "Newbie Hell." It sounds like you are learning linux like a lot of people, all by yourself. That's how I did it, and it is maddening and worse, very time consuming. The important thing is not to keep hitting your head against the brick wall over and over. So, what to do. First, I would join a linux email support group. I belong to a very good
1998 Oct 13
5
compare / contrast of linux fw and others
Hi, I was wondering how a linux box configured as a firewall stacked up against some of the commercial products like checkpoint-1 and gauntlet. Can someone direct me to a good book or online doc that compares linux to some other firewall methods? Mind you, I'm not talking about a firewall in the classical sense, ie ip forwarding turned off and used as a proxy, but the typical Linux box
2009 Aug 18
3
Rules based on ipmasq
Hi, I had installed squid with ntlm authentication and content filtering from this tutorial: http://www.howtoforge.com/dansguardian-with-multi-group-filtering-and-squid-with-ntlm-auth-on-debian-etch. Next to last point is firewall configuration by ipmasq but I have installed shorewall. This is content of I89tproxy.rul file: #!/bin/sh # # redirect http requests to non-local hosts to the
1998 Oct 06
1
Unwanted browse lists
Michel, One approach that hasn't been suggested is to block access to the netbios nameservice port on the samba host with a firewalling rule. That way the other computers on the subnet can't register themselves with nmbd. Suppose that your internal network is all within the 192.168.15.0/24 network. Each Windows workstation will automatically announce itself with a udp packet broadcast
1998 Dec 05
8
portmap vulnerability?
Are there any known vulnerabilities in portmap (redhat's portmap-4.0-7b)? I've been receiving a lot of attempts to access the portmap port on some linuxppc machines I administer by various machines which clearly have no business with mine, and I wonder if this is an attempt to break in to my machines. I've searched some archives, but I haven't yet found any
1998 May 27
0
Updated: Sentry Port Scan Detector 0.60
Hello, I would normally not write this list to announce an update to a software package, however there have been a number of very significant changes to this program that users of it may want to upgrade and new users may want to check out. What it is =-=-=-=-=- Sentry is a port scan detector for Linux, *BSD, and most UNIX variants. What it does =-=-=-=-=-=- Sentry monitors your systems for
2013 Dec 12
1
Need help in addressing this error - ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
Hi , I am new to this puppet. I am implementing a network where my cisco switch will contact the puppet server for getting the configuration. I tried installing open source puppet and was successful in pushing down the configurations. I wanted then to try the same exercise with puppet enterprise 3.1. I installed puppet enterprise in a different server and changed my puppet agent (switch) to
2004 Mar 01
0
filtering icmp - second try
Hi All Is the filter rule below supposed to classify icmp request/reply packets? $TC filter add dev eth2 protocol ip \ parent 1:0 prio 1 u32 \ match ip dst 192.168.0.1 \ match icmp type 8 0xff flowid 100 $TC filter add dev eth2 protocol ip \ parent 1:0 prio 1 u32 \ match ip dst 192.168.0.1 \ match icmp type 0 0xff flowid 100 it is accepted by tc but I think it is not
2004 Feb 28
0
filtering icmp
Hi All Is the filter rule below supposed to classify icmp request/reply packets? $TC filter add dev eth2 protocol ip \ parent 1:0 prio 1 u32 \ match ip dst 192.168.0.1 \ match icmp type 8 0xff flowid 100 $TC filter add dev eth2 protocol ip \ parent 1:0 prio 1 u32 \ match ip dst 192.168.0.1 \ match icmp type 0 0xff flowid 100 it is accepted by tc but I think it is not
1998 May 09
4
Apparent SNMP remote-root vulnerability.
I just had a remote root break-in on my machine (x86 running Red Hat Linux 5.0 with all the updates except for kernel-2.0.32-3) this morning at 06:03:28 EDT. From what I've been able to gather, it appears to have been through snmpd, which I missed when I was weeding out unused daemons. Sorry for the feeble message, but all I know (or at least strongly suspect) is that there's a
1998 Jun 14
14
SSH w/ttysnoop
I was wondering if anyone here has or knows how to implement ttysnoop w/ssh ?
2004 May 28
0
Mounting file shares in UTF-8
Hi, I've searched for lots of messages similar to this, but none as detailed as this, and I haven't seen an answer that helps me. I have a Win 2000 machine that has some file shares on it. These shares are international; files and directories have characters from many languages. The system codepage is set to 932. I'm using the smb binaries from samba 3 to mount these shares on a
2008 Apr 24
0
R crashes while running a positive checked script (PR#11264)
Full_Name: Bas Zimmerman Version: 2.7.0 (2008-04-22) OS: Windows 2000 Pro SP 4 Eng Submission from: (NULL) (62.51.53.106) Running the following line of the R-code SurvivalEnsembles.R, part of the MBoost package results in a program crash: 'AMLrf <- cforest(I(log(time)) ~ ., data = AMLlearn, control = ctrl, weights = AMLw)' This package received a OK-check, see
2016 May 11
0
Ogg Format
Hello Ralph I ran the opusenc.exe on a wave file and checked the OpusTag section. My concern is on Total Segment Size being >> than the actual data being put. Is this just an example of implementation or does a size of 764 BYTES kept as a place holder for putting more data? 4f 67 67 53 = Oggs 00 = Version 00 = Header 00 00 00 00 00 00 00 00 = Granule Position a5 73 00 00 = Bit Stream
2016 May 11
0
Ogg Format
Hello Jean-Marc, So for the moment we can assume that this method is also OK to use? On Embedded Systems, both SRAM and Flash can be a restricting factor besides the compute time. To optimize the utilization of embedded resources, may I suggest a simplification of the Ogg-Opus format and can this be considered by the Opus org and IETF as an addition? Regards Amit On Wed, May 11, 2016 at 12:09
1999 Jan 13
1
Secure? Samba over internet
I'd like comments (suggestions, improvements, messages that start with "you moron you forgot that. . .") on the following horrible dirty kludge to make a (nearly, with any luck) un-hackable set of shares available to specific users on the internet. On the Server, initially all packets bound for port 139 are rejected as the default policy. The server is connected to the internet full